This week, advisories were released for courier, pinball, kernel, mysql, gd,
tete, libwmf, mutt, php4, mozilla, and freetype2. The distributors include Debian,
Mandriva, and SuSE.

Earn an NSA recognized IA
Masters Online - The NSA has designated Norwich University a center
of Academic Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched consulting
experience. Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.

PHP has grown to become one of the most popular scripting languages on
the web. It offers many possibilities to its users, from building a
complex and innovative content management system to forming a simplistic
family photo album. PHP is also a useful programming language in that
it helps eliminate redundancy while promoting time-saving and dynamic
methodology. With PHP and an object-oriented approach (OO), using PHP
has countless advantages. Peter Lavin's highlights this and more in
Object-Oriented PHP.

Audience:

Lavin's approach makes this book very easy to read, however, this is
not meant for the novice programmer. Lavin expects that the reader
has some knowledge of PHP or C, HTML, and CSS. Lavin is not shy about
jumping right into the programming terminology as he warns the reader
of this in the opening chapter. If you are familiar with PHP, read
it. If you are familiar with OO, read it. This will get your feet wet
and eventually soak you all the way through. If you plan on using PHP
to create your dynamic website, have this book ready.

Summary:

Lavin begins with the cliche "What Does This Book Have to Offer?" and
"Why Should I Read This Book?". Naturally, an advanced programmer
would overlook these sections, but it is surprising how much OO and
PHP go hand-in-hand (even without realizing it). He also gives a quick
rundown of each chapter and the histories of PHP and OO.

The purpose of OO is to help simplify your work with PHP. Lavin uses
the example of a global menu - instead of copying and pasting the same
snippet of code for each page, use an include and, viola, your
keystrokes and right mouse clicks do not have to be used in vain.
Simplicity cuts down the losses in time and energy objects that
programmers cannot spare.

Chapters 2 through 9 are overviews of object orientation, OO
features in PHP 5, and classes. The first sightings of actual code
do not appear until the fourth chapter when Lavin introduces his
DirectoryItems class. Eventually, he offers enough code for the reader
to create his/her own image navigation interface to begin a working
photo album (complete with file browsing, pagination, and, of course,
use of MySQL).

Later chapters dive deeper into the concepts and tools learned from
the first half of the book. MySQL exceptions and trappings are
covered in Chapter 10, while Lavin introduces advanced methods and
techniques, such as reflection classes, using XML and CSS, in
Chapters 11 through 16.

Opinion:

What I would like to see more of is AJAX and PHP. Peter Lavin
admits that he is not the one to give a tutorial on such a subject,
however, he does tease us with a paragraph that sets us up for
building a foundation on AJAX. He also graciously provides us with
a URL for further investigation.

As you continue your journey with PHP, do so with the use of OO
and the inheritance of effective, time-saving methods. PHP and OO
allow you to do so as Lavin clearly suggests in Object-Oriented
PHP. This is not a PHP Bible, by any means, but it is a useful
book to add to your library.

EnGarde
Secure Linux v3.0.7 Now Available - Guardian Digital is happy to
announce the release of EnGarde Secure Community 3.0.7 (Version 3.0, Release
7). This release includes several bug fixes and feature enhancements to
the Guardian Digital WebTool and the SELinux policy, several updated packages,
and several new packages available for installation.

Linux
File & Directory Permissions Mistakes - One common mistake Linux
administrators make is having file and directory permissions that are far
too liberal and allow access beyond that which is needed for proper system
operations. A full explanation of unix file permissions is beyond the scope
of this article, so I'll assume you are familiar with the usage of such
tools as chmod, chown, and chgrp. If you'd like a refresher, one is available
right here on linuxsecurity.com.

Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headline.

Mysqld in MySQL 4.1.x before 4.1.18, 5.0.x before 5.0.19, and
5.1.x before 5.1.6 allows remote authorized users to cause a denial of
service (crash) via a NULL second argument to the str_to_date function.
MySQL 4.0.18 in Corporate 3.0 and MNF 2.0 is not affected by this issue.
Packages have been patched to correct this issue.

The LZW decoding in the gdImageCreateFromGifPtr function in
the Thomas Boutell graphics draw (GD) library (aka libgd) 2.0.33 allows
remote attackers to cause a denial of service (CPU consumption) via malformed
GIF data that causes an infinite loop. gd-2.0.15 in Corporate 3.0 is not
affected by this issue. Packages have been patched to correct this issue.

Integer overflows were reported in the GD Graphics Library (libgd)
2.0.28, and possibly other versions. These overflows allow remote attackers
to cause a denial of service and possibly execute arbitrary code via PNG
image files with large image rows values that lead to a heap-based buffer
overflow in the gdImageCreateFromPngCtx() function. Tetex contains an
embedded copy of the GD library code.

Integer overflows were reported in the GD Graphics Library (libgd)
2.0.28, and possibly other versions. These overflows allow remote attackers
to cause a denial of service and possibly execute arbitrary code via PNG
image files with large image rows values that lead to a heap-based buffer
overflow in the gdImageCreateFromPngCtx() function. Libwmf contains an
embedded copy of the GD library code. (CAN-2004-0941) Updated packages
have been patched to address this issue.

A stack-based buffer overflow in the browse_get_namespace function
in imap/browse.c of Mutt allows remote attackers to cause a denial of
service (crash) or execute arbitrary code via long namespaces received
from the IMAP server. Updated packages have been patched to address this
issue.

The freetype2 library renders TrueType fonts for open source
projects. More than 900 packages on SUSE Linux use this library. Therefore
the integer overflows in this code found by Josh Bressers and Chris Evans
might have a high impact on the security of a desktop system. The bugs
can lead to a remote denial-of-service attack and may lead to remote command
execution. The user needs to use a program that uses freetype2 (almost
all GUI applications do) and let this program process malicious font data.